I recently shared this info on the RESNET list, so I apologize if anyone is also on that list and has seen it already. :)

-Becky Klein

Here at Valpo, we do several things to help educate our community about cyber threats.

~ First, we use GSuite for email/collaboration. So Gmail automatically blocks a lot of the offending things (such as .exe files), and has great spam filtering. We try to teach people how to use the "report spam" and "report phishing" tools within Gmail to help filter the bad stuff out that does slip through.

~ When we start receiving numerous identical reports of phishing scams circulating campus, we send a campus-wide email reminding people to not share their login information. It usually includes a description of the current scam and points out indicators that show it's not legitimate. (I can forward one of the more recent examples if that would be helpful.) Over the years we've had a lot of people fall victim, from international students all the way up to high-ranking administrators. Since we started emailing campus though (which is probably 3-4 years ago now), the number of victims has dropped dramatically. We have a couple YouTube videos about how to recognize phishing and how to recover from falling victim, and we share those with people to help educate them (both those who are victims, and proactively in our messaging).

~ For 4-5 years now, we've put together a campaign every October for National Cyber Security Awareness Month. I sign us up as a champion, and the campaign has now gotten pretty big: weekly campus-wide emails, daily social media posts, a special page on our website, workshops on campus on security topics (password management, avoiding malware/ransomware, etc.), slides for our digital screens, posters distributed in all buildings on campus, table toppers in dining areas, buttons with the NCSAM logo (it's amazing how much students love these), customized workshops available for departments on request. This year I also initiated the "Crusader Cyber Citizen Pledge" (which I shamelessly stole from Florida State) outlining best practices to protect yourself, and promoted that pretty heavily - including a table in our student union with free candy to encourage people to sign.

~ I also sign us up as a champion for Data Privacy Day each January, and craft a small campaign for that.

~ For as long as I can remember (I've been on staff since '96 when I was still a student), we've given administrator rights to all users on their computers. A couple months ago we had a situation where a staff member in one of the colleges installed a "registry cleaner" on her 2-week-old campus computer; of course it was ransomware in disguise. Since it cost 4 IT staff members a couple days' time, and affected the files of almost 200 people on campus as it spread, we are now starting work on changing this policy to no longer give admin rights. It's going to include a campaign to let people know why we're making the change.

~ We also had a situation a couple months ago where a traveling advancement officer got infected with ransomware while at a hotel. I gave a custom presentation to his entire department on how to protect yourself from cyber threats while traveling.

It seems that most people who fall victim are appropriately embarrassed and they don't tend to repeat their mistakes. They also end up being ambassadors to others in helping them to avoid the same thing happening to them.

What terrifies me the most is whether the scammers will start using my name on their nefarious messages. I handle all the communications for the IT department, so people recognize and trust my name. (No pressure!!) If they start using my name, then it's game over - we'll end up with way too many victims.

Wondering if anyone has any successful best practices, techniques, or tools that have worked for your school to combat the increase in phishing attacks aimed at higher ed (phishing etc.).

In addressing this issue our plan is to educate our students and staff and raise awareness on the topic of Phishing through blog posts, posters and training. I have looked into simulation systems but they are extremely expensive.